iptables-1.8.7-12.el9

- arptables-nft-helper: Remove bashisms
- ebtables-helper: Drop unused variable, add a missing quote
- extensions: libxt_string: Avoid buffer size warning for strncpy()
- libxtables: Introduce xtables_strdup() and use it everywhere
- extensions: libebt_ip6: Use xtables_ip6parse_any()
- iptables-apply: Drop unused variable
- nft: Avoid buffer size warnings copying iface names
- nft: Avoid memleak in error path of nft_cmd_new()
- libxtables: Fix memleak in xtopt_parse_hostmask()
- extensions: libebt_ip6: Drop unused variables
- libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()

Resolves: RHBZ#1938745
This commit is contained in:
Phil Sutter 2021-06-10 18:29:44 +02:00
parent c842cc8e23
commit 18fd73d348
12 changed files with 955 additions and 13 deletions

View File

@ -0,0 +1,33 @@
From 5432b8f6fb2c3643bd06a965ae99d52d84b4fa10 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 Nov 2020 21:04:39 +0100
Subject: [PATCH] libxtables: Drop leftover variable in
xtables_numeric_to_ip6addr()
Variable 'err' was only used in removed debug code, so drop it as well.
Fixes: 7f526c9373c17 ("libxtables: xtables: remove unnecessary debug code")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 97fabae738a74bd04a7793e1199cd2b8a69122bc)
---
libxtables/xtables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index bc42ba8221f3a..6947441fec659 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1812,9 +1812,8 @@ const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
struct in6_addr *xtables_numeric_to_ip6addr(const char *num)
{
static struct in6_addr ap;
- int err;
- if ((err = inet_pton(AF_INET6, num, &ap)) == 1)
+ if (inet_pton(AF_INET6, num, &ap) == 1)
return &ap;
return NULL;
--
2.31.1

View File

@ -0,0 +1,49 @@
From fb53fa061d1f67bd18845fdb8f6e13e5929cf15a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 13 Nov 2020 21:13:50 +0100
Subject: [PATCH] extensions: libebt_ip6: Drop unused variables
They are being assigned to but never read.
Fixes: 5c8ce9c6aede0 ("ebtables-compat: add 'ip6' match extension")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 8bb5bcae57c83066c224efa5fd29ed4822a766fc)
---
extensions/libebt_ip6.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index b8a5a5d8c3a92..301bed9aadefd 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -250,9 +250,8 @@ static void brip6_init(struct xt_entry_match *match)
static struct in6_addr *numeric_to_addr(const char *num)
{
static struct in6_addr ap;
- int err;
- if ((err=inet_pton(AF_INET6, num, &ap)) == 1)
+ if (inet_pton(AF_INET6, num, &ap) == 1)
return &ap;
return (struct in6_addr *)NULL;
}
@@ -292,7 +291,6 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
char buf[256];
char *p;
int i;
- int err;
strncpy(buf, address, sizeof(buf) - 1);
/* first the mask */
@@ -309,7 +307,7 @@ static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct i
if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
strcpy(buf, "::");
- if ((err=inet_pton(AF_INET6, buf, addr)) < 1) {
+ if (inet_pton(AF_INET6, buf, addr) < 1) {
xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
return;
}
--
2.31.1

View File

@ -0,0 +1,29 @@
From eece041510effa3359135f92714cfa4012bd8922 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:04:30 +0200
Subject: [PATCH] libxtables: Fix memleak in xtopt_parse_hostmask()
The allocated hostmask duplicate needs to be freed again.
Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ffe88f8f01263687e82ef4d3d2bdc0cb5444711e)
---
libxtables/xtoptions.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index d329f2ff7979e..0dcdf607f4678 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -763,6 +763,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
cb->arg = p;
xtopt_parse_plenmask(cb);
cb->arg = orig_arg;
+ free(work);
}
static void xtopt_parse_ethermac(struct xt_option_call *cb)
--
2.31.1

View File

@ -0,0 +1,34 @@
From c5188cd7e1b2d54a63dac25b6f84f2ab26f7b8fc Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:55:20 +0200
Subject: [PATCH] nft: Avoid memleak in error path of nft_cmd_new()
If rule allocation fails, free the allocated 'cmd' before returning to
caller.
Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit eab75ed36a4f204ddab0c40ba42c5a300634d5c3)
---
iptables/nft-cmd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 5d33f1f00f574..9b0c964847615 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -35,8 +35,10 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
if (state) {
rule = nft_rule_new(h, chain, table, state);
- if (!rule)
+ if (!rule) {
+ nft_cmd_free(cmd);
return NULL;
+ }
cmd->obj.rule = rule;
--
2.31.1

View File

@ -0,0 +1,56 @@
From dda5f0d0ebbcb39f4e001335f70159121f554886 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 11:58:06 +0200
Subject: [PATCH] nft: Avoid buffer size warnings copying iface names
The call to strncpy() is actually not needed: source buffer is only
IFNAMSIZ bytes large and guaranteed to be null-terminated. Use this to
avoid compiler warnings due to size parameter matching the destination
buffer size by performing the copy using (dumb) memcpy() instead.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 0729ab37c5d90b78dd3bc8c9addb8a1c60708eff)
---
iptables/nft-ipv4.c | 4 ++--
iptables/nft-ipv6.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index a5b835b1f681d..34f94bd8cc24a 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -348,11 +348,11 @@ static void nft_ipv4_post_parse(int command,
*/
cs->fw.ip.invflags = args->invflags;
- strncpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
+ memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
memcpy(cs->fw.ip.iniface_mask,
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
- strncpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
+ memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
memcpy(cs->fw.ip.outiface_mask,
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 46008fc5e762a..d9c9400ad7dc3 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -293,11 +293,11 @@ static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
*/
cs->fw6.ipv6.invflags = args->invflags;
- strncpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
+ memcpy(cs->fw6.ipv6.iniface, args->iniface, IFNAMSIZ);
memcpy(cs->fw6.ipv6.iniface_mask,
args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
- strncpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
+ memcpy(cs->fw6.ipv6.outiface, args->outiface, IFNAMSIZ);
memcpy(cs->fw6.ipv6.outiface_mask,
args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
--
2.31.1

View File

@ -0,0 +1,29 @@
From b12c597d663462d101ea5ab114f7a499065eb9b2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 12:50:57 +0200
Subject: [PATCH] iptables-apply: Drop unused variable
It was assigned to but never read.
Fixes: b45b4e3903414 ("iptables-apply: script and manpage update")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 084671d5acaaf749648e828c2ed3b319de651764)
---
iptables/iptables-apply | 1 -
1 file changed, 1 deletion(-)
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 4683b1b402d08..3a7df5e3cbc1f 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -231,7 +231,6 @@ case "$MODE" in
"$RUNCMD" &
CMD_PID=$!
( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
- CMDTIMEOUT_PID=$!
if ! wait "$CMD_PID"; then
echo "failed."
echo "Error: unknown error running command: $RUNCMD" >&2
--
2.31.1

View File

@ -0,0 +1,109 @@
From 4ddde566b4af111536918b17e558c7bb4531335f Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 14:04:43 +0200
Subject: [PATCH] extensions: libebt_ip6: Use xtables_ip6parse_any()
The code was almost identical and suffered from the same problem as
fixed in commit a76a5c997a235 ("libxtables: fix two off-by-one memory
corruption bugs").
The only functional change this involves is ebt_parse_ip6_address() will
now accept hostnames as well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit ca840c20b7b754d36a1abe7e597fd730dea142d4)
---
extensions/libebt_ip6.c | 74 ++++++-----------------------------------
1 file changed, 10 insertions(+), 64 deletions(-)
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index 301bed9aadefd..3cc39271d4658 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -247,73 +247,19 @@ static void brip6_init(struct xt_entry_match *match)
memset(ipinfo->dmsk.s6_addr, 0, sizeof(ipinfo->dmsk.s6_addr));
}
-static struct in6_addr *numeric_to_addr(const char *num)
+/* wrap xtables_ip6parse_any(), ignoring any but the first returned address */
+static void ebt_parse_ip6_address(char *address,
+ struct in6_addr *addr, struct in6_addr *msk)
{
- static struct in6_addr ap;
-
- if (inet_pton(AF_INET6, num, &ap) == 1)
- return &ap;
- return (struct in6_addr *)NULL;
-}
-
-static struct in6_addr *parse_ip6_mask(char *mask)
-{
- static struct in6_addr maskaddr;
struct in6_addr *addrp;
- unsigned int bits;
-
- if (mask == NULL) {
- /* no mask at all defaults to 128 bits */
- memset(&maskaddr, 0xff, sizeof maskaddr);
- return &maskaddr;
- }
- if ((addrp = numeric_to_addr(mask)) != NULL)
- return addrp;
- if (!xtables_strtoui(mask, NULL, &bits, 0, 128))
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Mask '%s' specified", mask);
- if (bits != 0) {
- char *p = (char *)&maskaddr;
- memset(p, 0xff, bits / 8);
- memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
- p[bits / 8] = 0xff << (8 - (bits & 7));
- return &maskaddr;
- }
+ unsigned int naddrs;
- memset(&maskaddr, 0, sizeof maskaddr);
- return &maskaddr;
-}
-
-/* Set the ipv6 mask and address. Callers should check ebt_errormsg[0].
- * The string pointed to by address can be altered. */
-static void ebt_parse_ip6_address(char *address, struct in6_addr *addr, struct in6_addr *msk)
-{
- struct in6_addr *tmp_addr;
- char buf[256];
- char *p;
- int i;
-
- strncpy(buf, address, sizeof(buf) - 1);
- /* first the mask */
- buf[sizeof(buf) - 1] = '\0';
- if ((p = strrchr(buf, '/')) != NULL) {
- *p = '\0';
- tmp_addr = parse_ip6_mask(p + 1);
- } else
- tmp_addr = parse_ip6_mask(NULL);
-
- *msk = *tmp_addr;
-
- /* if a null mask is given, the name is ignored, like in "any/0" */
- if (!memcmp(msk, &in6addr_any, sizeof(in6addr_any)))
- strcpy(buf, "::");
-
- if (inet_pton(AF_INET6, buf, addr) < 1) {
- xtables_error(PARAMETER_PROBLEM, "Invalid IPv6 Address '%s' specified", buf);
- return;
- }
-
- for (i = 0; i < 4; i++)
- addr->s6_addr32[i] &= msk->s6_addr32[i];
+ xtables_ip6parse_any(address, &addrp, msk, &naddrs);
+ if (naddrs != 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IPv6 Address '%s' specified", address);
+ memcpy(addr, addrp, sizeof(*addr));
+ free(addrp);
}
#define OPT_SOURCE 0x01
--
2.31.1

View File

@ -0,0 +1,554 @@
From 6648a2090e4395541e4fd6b4be077fd4c2cf20cb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 12:56:06 +0200
Subject: [PATCH] libxtables: Introduce xtables_strdup() and use it everywhere
This wraps strdup(), checking for errors.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 9b85e1ab3dbf0d9344562c5c76114496e3ebaa3a)
---
extensions/libebt_ip.c | 3 ++-
extensions/libebt_ip6.c | 2 +-
extensions/libebt_stp.c | 3 ++-
extensions/libip6t_DNAT.c | 4 +---
extensions/libip6t_SNAT.c | 4 +---
extensions/libip6t_dst.c | 8 +++-----
extensions/libip6t_hbh.c | 7 +++----
extensions/libip6t_ipv6header.c | 2 +-
extensions/libip6t_mh.c | 2 +-
extensions/libip6t_rt.c | 7 +++----
extensions/libipt_DNAT.c | 8 ++------
extensions/libipt_SNAT.c | 4 +---
extensions/libxt_dccp.c | 2 +-
extensions/libxt_hashlimit.c | 5 +----
extensions/libxt_iprange.c | 4 +---
extensions/libxt_multiport.c | 6 ++----
extensions/libxt_sctp.c | 4 ++--
extensions/libxt_set.h | 4 ++--
extensions/libxt_tcp.c | 4 ++--
include/xtables.h | 1 +
iptables/iptables-xml.c | 4 ++--
iptables/nft-cache.c | 4 ++--
iptables/nft-cmd.c | 13 +++++++------
iptables/xshared.c | 2 +-
libxtables/xtables.c | 12 ++++++++++++
libxtables/xtoptions.c | 14 +++-----------
26 files changed, 60 insertions(+), 73 deletions(-)
diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
index acb9bfcdbbd9f..51649ffb3c305 100644
--- a/extensions/libebt_ip.c
+++ b/extensions/libebt_ip.c
@@ -175,7 +175,8 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
+
if ((cp = strchr(buffer, ':')) == NULL)
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
else {
diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c
index 3cc39271d4658..a686a285c3cb8 100644
--- a/extensions/libebt_ip6.c
+++ b/extensions/libebt_ip6.c
@@ -93,7 +93,7 @@ parse_port_range(const char *protocol, const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
if ((cp = strchr(buffer, ':')) == NULL)
ports[0] = ports[1] = xtables_parse_port(buffer, NULL);
else {
diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c
index 81ba572c33c1a..3e9e24474eb61 100644
--- a/extensions/libebt_stp.c
+++ b/extensions/libebt_stp.c
@@ -90,7 +90,8 @@ static int parse_range(const char *portstring, void *lower, void *upper,
uint32_t low_nr, upp_nr;
int ret = 0;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
+
if ((cp = strchr(buffer, ':')) == NULL) {
low_nr = strtoul(buffer, &end, 10);
if (*end || low_nr < min || low_nr > max) {
diff --git a/extensions/libip6t_DNAT.c b/extensions/libip6t_DNAT.c
index 89c5ceb153250..f1ad81436316b 100644
--- a/extensions/libip6t_DNAT.c
+++ b/extensions/libip6t_DNAT.c
@@ -58,9 +58,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range2 *range, int rev)
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
const struct in6_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
start = strchr(arg, '[');
if (start == NULL) {
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index 7d74b3d76a93c..6d19614c7c708 100644
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -52,9 +52,7 @@ parse_to(const char *orig_arg, int portok, struct nf_nat_range *range)
char *arg, *start, *end = NULL, *colon = NULL, *dash, *error;
const struct in6_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
start = strchr(arg, '[');
if (start == NULL) {
diff --git a/extensions/libip6t_dst.c b/extensions/libip6t_dst.c
index fe7e3403468ce..bf0e3e436665d 100644
--- a/extensions/libip6t_dst.c
+++ b/extensions/libip6t_dst.c
@@ -57,11 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
{
char *buffer, *cp, *next, *range;
unsigned int i;
-
- buffer = strdup(optsstr);
- if (!buffer)
- xtables_error(OTHER_PROBLEM, "strdup failed");
-
+
+ buffer = xtables_strdup(optsstr);
+
for (cp = buffer, i = 0; cp && i < IP6T_OPTS_OPTSNR; cp = next, i++)
{
next = strchr(cp, ',');
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index 4cebecfd3d2f5..74e87cda7eea1 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -57,10 +57,9 @@ parse_options(const char *optsstr, uint16_t *opts)
{
char *buffer, *cp, *next, *range;
unsigned int i;
-
- buffer = strdup(optsstr);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
-
+
+ buffer = xtables_strdup(optsstr);
+
for (cp=buffer, i=0; cp && i<IP6T_OPTS_OPTSNR; cp=next,i++)
{
next=strchr(cp, ',');
diff --git a/extensions/libip6t_ipv6header.c b/extensions/libip6t_ipv6header.c
index 6f03087bb79d8..9e34562966f8b 100644
--- a/extensions/libip6t_ipv6header.c
+++ b/extensions/libip6t_ipv6header.c
@@ -147,7 +147,7 @@ parse_header(const char *flags) {
char *ptr;
char *buffer;
- buffer = strdup(flags);
+ buffer = xtables_strdup(flags);
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ","))
ret |= add_proto_to_mask(name_to_proto(ptr));
diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index f4c0fd9fc0bca..64675405ac724 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -107,7 +107,7 @@ static void parse_mh_types(const char *mhtype, uint8_t *types)
char *buffer;
char *cp;
- buffer = strdup(mhtype);
+ buffer = xtables_strdup(mhtype);
if ((cp = strchr(buffer, ':')) == NULL)
types[0] = types[1] = name_to_type(buffer);
else {
diff --git a/extensions/libip6t_rt.c b/extensions/libip6t_rt.c
index 3cb3b249d8995..9708b5a0c42f3 100644
--- a/extensions/libip6t_rt.c
+++ b/extensions/libip6t_rt.c
@@ -73,10 +73,9 @@ parse_addresses(const char *addrstr, struct in6_addr *addrp)
{
char *buffer, *cp, *next;
unsigned int i;
-
- buffer = strdup(addrstr);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
-
+
+ buffer = xtables_strdup(addrstr);
+
for (cp=buffer, i=0; cp && i<IP6T_RT_HOPS; cp=next,i++)
{
next=strchr(cp, ',');
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 4907a2e83d066..5b33fd23f6e36 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -79,9 +79,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
memset(&range, 0, sizeof(range));
colon = strchr(arg, ':');
@@ -302,9 +300,7 @@ parse_to_v2(const char *orig_arg, int portok, struct nf_nat_range2 *range)
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
colon = strchr(arg, ':');
if (colon) {
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index e92d811c2bc93..c655439ec9192 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -73,9 +73,7 @@ parse_to(const char *orig_arg, int portok, struct ipt_natinfo *info)
char *arg, *colon, *dash, *error;
const struct in_addr *ip;
- arg = strdup(orig_arg);
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
+ arg = xtables_strdup(orig_arg);
memset(&range, 0, sizeof(range));
colon = strchr(arg, ':');
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index aea3e20be4818..abd420fcc0032 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -85,7 +85,7 @@ parse_dccp_types(const char *typestring)
uint16_t typemask = 0;
char *ptr, *buffer;
- buffer = strdup(typestring);
+ buffer = xtables_strdup(typestring);
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
unsigned int i;
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 7f1d2a402c4fd..3f3c43010ee2a 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -508,10 +508,7 @@ static void hashlimit_mt6_init(struct xt_entry_match *match)
static int parse_mode(uint32_t *mode, const char *option_arg)
{
char *tok;
- char *arg = strdup(option_arg);
-
- if (!arg)
- return -1;
+ char *arg = xtables_strdup(option_arg);
for (tok = strtok(arg, ",|");
tok;
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index 8be2481497b8d..04ce7b364f1c6 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -73,11 +73,9 @@ iprange_parse_spec(const char *from, const char *to, union nf_inet_addr *range,
static void iprange_parse_range(const char *oarg, union nf_inet_addr *range,
uint8_t family, const char *optname)
{
- char *arg = strdup(oarg);
+ char *arg = xtables_strdup(oarg);
char *dash;
- if (arg == NULL)
- xtables_error(RESOURCE_PROBLEM, "strdup");
dash = strchr(arg, '-');
if (dash == NULL) {
iprange_parse_spec(arg, arg, range, family, optname);
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index 07ad4cfd4e519..4a42fa38238b9 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -87,8 +87,7 @@ parse_multi_ports(const char *portstring, uint16_t *ports, const char *proto)
char *buffer, *cp, *next;
unsigned int i;
- buffer = strdup(portstring);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+ buffer = xtables_strdup(portstring);
for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
{
@@ -109,8 +108,7 @@ parse_multi_ports_v1(const char *portstring,
char *buffer, *cp, *next, *range;
unsigned int i;
- buffer = strdup(portstring);
- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+ buffer = xtables_strdup(portstring);
for (i=0; i<XT_MULTI_PORTS; i++)
multiinfo->pflags[i] = 0;
diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 140de2653b1ef..59b34684cc7f7 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -69,7 +69,7 @@ parse_sctp_ports(const char *portstring,
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
DEBUGP("%s\n", portstring);
if ((cp = strchr(buffer, ':')) == NULL) {
ports[0] = ports[1] = xtables_parse_port(buffer, "sctp");
@@ -163,7 +163,7 @@ parse_sctp_chunk(struct xt_sctp_info *einfo,
int found = 0;
char *chunk_flags;
- buffer = strdup(chunks);
+ buffer = xtables_strdup(chunks);
DEBUGP("Buffer: %s\n", buffer);
SCTP_CHUNKMAP_RESET(einfo->chunkmap);
diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index 41dfbd30fc7c1..ad895a7504d9d 100644
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -141,7 +141,7 @@ get_set_byname(const char *setname, struct xt_set_info *info)
static void
parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
{
- char *saved = strdup(opt_arg);
+ char *saved = xtables_strdup(opt_arg);
char *ptr, *tmp = saved;
int i = 0;
@@ -167,7 +167,7 @@ parse_dirs_v0(const char *opt_arg, struct xt_set_info_v0 *info)
static void
parse_dirs(const char *opt_arg, struct xt_set_info *info)
{
- char *saved = strdup(opt_arg);
+ char *saved = xtables_strdup(opt_arg);
char *ptr, *tmp = saved;
while (info->dim < IPSET_DIM_MAX && tmp != NULL) {
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 58f3c0a0c3c28..383e4db5b5e23 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -43,7 +43,7 @@ parse_tcp_ports(const char *portstring, uint16_t *ports)
char *buffer;
char *cp;
- buffer = strdup(portstring);
+ buffer = xtables_strdup(portstring);
if ((cp = strchr(buffer, ':')) == NULL)
ports[0] = ports[1] = xtables_parse_port(buffer, "tcp");
else {
@@ -83,7 +83,7 @@ parse_tcp_flag(const char *flags)
char *ptr;
char *buffer;
- buffer = strdup(flags);
+ buffer = xtables_strdup(flags);
for (ptr = strtok(buffer, ","); ptr; ptr = strtok(NULL, ",")) {
unsigned int i;
diff --git a/include/xtables.h b/include/xtables.h
index df1eaee326643..107ad7d65e6fc 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -453,6 +453,7 @@ extern void xtables_set_nfproto(uint8_t);
extern void *xtables_calloc(size_t, size_t);
extern void *xtables_malloc(size_t);
extern void *xtables_realloc(void *, size_t);
+char *xtables_strdup(const char *);
extern int xtables_insmod(const char *, const char *, bool);
extern int xtables_load_ko(const char *, bool);
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 98d03dda98d2b..6cf059fb67292 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -213,8 +213,8 @@ saveChain(char *chain, char *policy, struct xt_counters *ctr)
"%s: line %u chain name invalid\n",
prog_name, line);
- chains[nextChain].chain = strdup(chain);
- chains[nextChain].policy = strdup(policy);
+ chains[nextChain].chain = xtables_strdup(chain);
+ chains[nextChain].policy = xtables_strdup(policy);
chains[nextChain].count = *ctr;
chains[nextChain].created = 0;
nextChain++;
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index 6b6e6da40a826..7fd78654b280a 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -40,7 +40,7 @@ static void cache_chain_list_insert(struct list_head *list, const char *name)
}
new = xtables_malloc(sizeof(*new));
- new->name = strdup(name);
+ new->name = xtables_strdup(name);
list_add_tail(&new->head, pos ? &pos->head : list);
}
@@ -56,7 +56,7 @@ void nft_cache_level_set(struct nft_handle *h, int level,
return;
if (!req->table)
- req->table = strdup(cmd->table);
+ req->table = xtables_strdup(cmd->table);
else
assert(!strcmp(req->table, cmd->table));
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 9b0c964847615..8dccdd734b156 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <string.h>
+#include <xtables.h>
#include "nft.h"
#include "nft-cmd.h"
@@ -27,9 +28,9 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
return NULL;
cmd->command = command;
- cmd->table = strdup(table);
+ cmd->table = xtables_strdup(table);
if (chain)
- cmd->chain = strdup(chain);
+ cmd->chain = xtables_strdup(chain);
cmd->rulenum = rulenum;
cmd->verbose = verbose;
@@ -43,7 +44,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
cmd->obj.rule = rule;
if (!state->target && strlen(state->jumpto) > 0)
- cmd->jumpto = strdup(state->jumpto);
+ cmd->jumpto = xtables_strdup(state->jumpto);
}
list_add_tail(&cmd->head, &h->cmd_list);
@@ -238,7 +239,7 @@ int nft_cmd_chain_user_rename(struct nft_handle *h,const char *chain,
if (!cmd)
return 0;
- cmd->rename = strdup(newname);
+ cmd->rename = xtables_strdup(newname);
nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
@@ -304,7 +305,7 @@ int nft_cmd_chain_set(struct nft_handle *h, const char *table,
if (!cmd)
return 0;
- cmd->policy = strdup(policy);
+ cmd->policy = xtables_strdup(policy);
if (counters)
cmd->counters = *counters;
@@ -389,7 +390,7 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
if (!cmd)
return 0;
- cmd->policy = strdup(policy);
+ cmd->policy = xtables_strdup(policy);
nft_cache_level_set(h, NFT_CL_RULES, cmd);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 9a1f465a5a6d3..4027d9240215e 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -435,7 +435,7 @@ void add_argv(struct argv_store *store, const char *what, int quoted)
xtables_error(PARAMETER_PROBLEM,
"Trying to store NULL argument\n");
- store->argv[store->argc] = strdup(what);
+ store->argv[store->argc] = xtables_strdup(what);
store->argvattr[store->argc] = quoted;
store->argv[++store->argc] = NULL;
}
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 6947441fec659..1931e3896262a 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -368,6 +368,18 @@ void *xtables_realloc(void *ptr, size_t size)
return p;
}
+char *xtables_strdup(const char *s)
+{
+ char *dup = strdup(s);
+
+ if (!dup) {
+ perror("ip[6]tables: strdup failed");
+ exit(1);
+ }
+
+ return dup;
+}
+
static char *get_modprobe(void)
{
int procfile;
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 0dcdf607f4678..9d3ac5c8066cb 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -604,9 +604,7 @@ static void xtopt_parse_mport(struct xt_option_call *cb)
unsigned int maxiter;
int value;
- wp_arg = lo_arg = strdup(cb->arg);
- if (lo_arg == NULL)
- xt_params->exit_err(RESOURCE_PROBLEM, "strdup");
+ wp_arg = lo_arg = xtables_strdup(cb->arg);
maxiter = entry->size / esize;
if (maxiter == 0)
@@ -747,9 +745,7 @@ static void xtopt_parse_hostmask(struct xt_option_call *cb)
xtopt_parse_host(cb);
return;
}
- work = strdup(orig_arg);
- if (work == NULL)
- xt_params->exit_err(PARAMETER_PROBLEM, "strdup");
+ work = xtables_strdup(orig_arg);
p = strchr(work, '/'); /* by def this can't be NULL now */
*p++ = '\0';
/*
@@ -1139,11 +1135,7 @@ struct xtables_lmap *xtables_lmap_init(const char *file)
goto out;
}
lmap_this->id = id;
- lmap_this->name = strdup(cur);
- if (lmap_this->name == NULL) {
- free(lmap_this);
- goto out;
- }
+ lmap_this->name = xtables_strdup(cur);
lmap_this->next = NULL;
if (lmap_prev != NULL)
--
2.31.1

View File

@ -0,0 +1,31 @@
From 2b659cc251cd4a6d15e2c5962bb763c8dea48e1a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Wed, 2 Jun 2021 15:15:37 +0200
Subject: [PATCH] extensions: libxt_string: Avoid buffer size warning for
strncpy()
If the target buffer does not need to be null-terminated, one may simply
use memcpy() and thereby avoid any compiler warnings.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 68ed965b35cdc7b55d4ebc0ba37c1ac078ccbafb)
---
extensions/libxt_string.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/libxt_string.c b/extensions/libxt_string.c
index 7c6366cbbf1b3..739a8e7fd66b6 100644
--- a/extensions/libxt_string.c
+++ b/extensions/libxt_string.c
@@ -81,7 +81,7 @@ parse_string(const char *s, struct xt_string_info *info)
{
/* xt_string does not need \0 at the end of the pattern */
if (strlen(s) <= XT_STRING_MAX_PATTERN_SIZE) {
- strncpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
+ memcpy(info->pattern, s, XT_STRING_MAX_PATTERN_SIZE);
info->patlen = strnlen(s, XT_STRING_MAX_PATTERN_SIZE);
return;
}
--
2.31.1

View File

@ -5,12 +5,12 @@ ARPTABLES_CONFIG=/etc/sysconfig/arptables
# compat for removed initscripts dependency # compat for removed initscripts dependency
success() { success() {
echo -n "[ OK ]" echo "[ OK ]"
return 0 return 0
} }
failure() { failure() {
echo -n "[FAILED]" echo "[FAILED]"
return 1 return 1
} }
@ -21,31 +21,28 @@ start() {
# don't do squat if we don't have the config file # don't do squat if we don't have the config file
if [ -f $ARPTABLES_CONFIG ]; then if [ -f $ARPTABLES_CONFIG ]; then
echo -n $"Applying arptables firewall rules: " printf "Applying arptables firewall rules: "
/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \ /usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
success || \ success || \
failure failure
echo
touch /var/lock/subsys/arptables touch /var/lock/subsys/arptables
else else
failure failure
echo echo "Configuration file /etc/sysconfig/arptables missing"
echo $"Configuration file /etc/sysconfig/arptables missing"
exit 6 exit 6
fi fi
} }
stop() { stop() {
echo -n $"Removing user defined chains:" printf "Removing user defined chains: "
arptables -X && success || failure arptables -X && success || failure
echo -n $"Flushing all chains:" printf "Flushing all chains: "
arptables -F && success || failure arptables -F && success || failure
echo -n $"Resetting built-in chains to the default ACCEPT policy:" printf "Resetting built-in chains to the default ACCEPT policy: "
arptables -P INPUT ACCEPT && \ arptables -P INPUT ACCEPT && \
arptables -P OUTPUT ACCEPT && \ arptables -P OUTPUT ACCEPT && \
success || \ success || \
failure failure
echo
rm -f /var/lock/subsys/arptables rm -f /var/lock/subsys/arptables
} }

View File

@ -23,7 +23,6 @@ VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
# ebtables-config defaults # ebtables-config defaults
EBTABLES_SAVE_ON_STOP="no" EBTABLES_SAVE_ON_STOP="no"
EBTABLES_SAVE_ON_RESTART="no"
EBTABLES_SAVE_COUNTER="no" EBTABLES_SAVE_COUNTER="no"
# load config if existing # load config if existing
@ -49,7 +48,7 @@ sanitize_dump() {
local table="${line#\*}" local table="${line#\*}"
local found=false local found=false
for t in $EBTABLES_TABLES; do for t in $EBTABLES_TABLES; do
if [[ $t == $table ]]; then if [[ $t == "$table" ]]; then
found=true found=true
break break
fi fi

View File

@ -11,7 +11,7 @@ Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities Summary: Tools for managing Linux kernel packet filtering capabilities
URL: https://www.netfilter.org/projects/iptables URL: https://www.netfilter.org/projects/iptables
Version: 1.8.7 Version: 1.8.7
Release: 11%{?dist} Release: 12%{?dist}
Source: %{url}/files/%{name}-%{version}.tar.bz2 Source: %{url}/files/%{name}-%{version}.tar.bz2
Source1: iptables.init Source1: iptables.init
Source2: iptables-config Source2: iptables-config
@ -28,6 +28,15 @@ Patch1: 0001-ebtables-Exit-gracefully-on-invalid-table-names.patch
Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch Patch2: 0002-xtables-translate-Fix-translation-of-odd-netmasks.patch
Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch Patch3: 0003-Eliminate-inet_aton-and-inet_ntoa.patch
Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch Patch4: 0004-nft-arp-Make-use-of-ipv4_addr_to_string.patch
Patch5: 0005-libxtables-Drop-leftover-variable-in-xtables_numeric.patch
Patch6: 0006-extensions-libebt_ip6-Drop-unused-variables.patch
Patch7: 0007-libxtables-Fix-memleak-in-xtopt_parse_hostmask.patch
Patch8: 0008-nft-Avoid-memleak-in-error-path-of-nft_cmd_new.patch
Patch9: 0009-nft-Avoid-buffer-size-warnings-copying-iface-names.patch
Patch10: 0010-iptables-apply-Drop-unused-variable.patch
Patch11: 0011-extensions-libebt_ip6-Use-xtables_ip6parse_any.patch
Patch12: 0012-libxtables-Introduce-xtables_strdup-and-use-it-every.patch
Patch13: 0013-extensions-libxt_string-Avoid-buffer-size-warning-fo.patch
# pf.os: ISC license # pf.os: ISC license
# iptables-apply: Artistic 2.0 # iptables-apply: Artistic 2.0
@ -423,6 +432,19 @@ fi
%changelog %changelog
* Thu Jun 10 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-12
- arptables-nft-helper: Remove bashisms
- ebtables-helper: Drop unused variable, add a missing quote
- extensions: libxt_string: Avoid buffer size warning for strncpy()
- libxtables: Introduce xtables_strdup() and use it everywhere
- extensions: libebt_ip6: Use xtables_ip6parse_any()
- iptables-apply: Drop unused variable
- nft: Avoid buffer size warnings copying iface names
- nft: Avoid memleak in error path of nft_cmd_new()
- libxtables: Fix memleak in xtopt_parse_hostmask()
- extensions: libebt_ip6: Drop unused variables
- libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
* Wed May 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11 * Wed May 12 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-11
- Fix License name in spec file - Fix License name in spec file
- Eliminate inet_aton() and inet_ntoa() - Eliminate inet_aton() and inet_ntoa()